OWASP Israel 2007 Conference at the Interdisciplinary Center Herzliya (IDC)
OWASP Israel 2007 Conference was held at the Interdisciplinary Center (IDC) Herzliya on Dec 3rd 2007. More than 200 people attended the conference and enjoyed interesting presentations and a great networking opportunity. OWASP Israel 2007 became a must-attend event for any application security professional and drew many people from the wider information security community as well.
- 1 Sponsors & Contributors
- 2 Program
- 2.1 Cross Site Request Forgery - Overview and Solutions
- 2.2 Defeating Web 2.0 Attacks without Recoding Applications
- 2.3 Hunting Down XSS Vulnerabilities
- 2.4 The National Information Security Forum
- 2.5 How Dangerous Is It Out There?
- 2.6 SOA security
- 2.7 The PKI Lie - Attacking Certificate-Based Authentication
- 2.8 Harvesting Skype Super-Nodes
- 2.9 Smuggling SQL injection attacks
Sponsors & Contributors
The meeting is sponsored by Breach Security, Hacktics, GamaSec, Applicure, The National Information Security Forum and the Efi Arazi school of Computer Science at the Interdisciplinary Center (IDC) Herzliya.
I would also like to thank those individuals without whose help this event would not have been possible:
- Dr. Anat Bremler-Barr, our host at the IDC.
- Shay Shuker, who helped with the organization.
- Bat-Sheva Shezaf, who took the pictures.
Program
The following presentations were given at OWASP Israel 2007:
Cross Site Request Forgery - Overview and Solutions
Ofer Shezaf, OWASP IL chapter leader, Breach Security
Cross Site Request Forgery (CSRF) made the highest entry into this year's version of the OWASP Top 10, jumping straight to number 5. But as common and dangerous as it is, CSRF has remained obscure to many, and the ways to protect your application are even less well understood. This turbo talk will provide an overview of CSRF and the common ways to mitigate it, leading into Amichai Shulman's presentation, which will present innovative methods for protecting against CSRF.
Ofer will also give an update on the OWASP 2007 conference in San Jose and other OWASP news.
Defeating Web 2.0 Attacks without Recoding Applications
Amichai Shulman, CTO, Imperva
This talk was presented at OWASP 2007 in San Jose.
Hunting Down XSS Vulnerabilities
Erez Metula, Application Security Department Manager, 2Bsecure
XSS is the most common web application vulnerability and leads the OWASP Top 10. The lecture will discuss automatic and manual approaches for detecting XSS vulnerabilities. Erez will present tools used to find XSS vulnerabilities as well as innovative methods for overcoming obstacles when looking for vulnerabilities.
The National Information Security Forum
Avi Weissman, CEO, See-Security
Avi will take 10 minutes to announce and describe the new national information security forum (NISF), a new information security initiative that we welcome and would like to cooperate with at OWASP.
How Dangerous Is It Out There?
Dror Paz, Director of Professional Services, Breach Security
One of the key issues facing application security professionals is the lack of information about the actual risk. The number of reported incidents is small, and therefore, while the potential danger of web layer attacks is known, whether and how this potential is abused remains a great mystery. In the presentation, Dror Paz will show what's really happening out there, based on work done in projects such as the Open Proxy Honeypot project, the WASC statistics project and the Web Hacking Incidents Database, as well as information gathered (incognito) from Breach installations around the globe.
This presentation was canceled because Dror was sick; it will be rescheduled for a future OWASP meeting.
SOA security
Iris Levari, Amdocs
As application security specialists we need to keep up with information technology trends. Service Oriented Architecture (SOA) is a new method for developing large-scale enterprise applications that promises to revolutionize the IT landscape. Applications built around SOA isolate each business process into a separate service that can serve and interconnect with other services. SOA can use different technologies such as XML, Web Services and SOAP as its infrastructure. The presentation will explain SOA and discuss the security features and considerations when adopting SOA.
The PKI Lie - Attacking Certificate-Based Authentication
Ofer Maor, CTO, Hacktics
While public key cryptography and client-side certificates have certainly proved to be a very valuable security mechanism, blind reliance on them may lead to disaster. These complex technologies are prone to implementation and deployment mistakes that render them useless. Ofer will discuss and demonstrate some common implementation pitfalls he often sees in real-life PKI-based authentication systems.
This talk was presented at OWASP 2007 in San Jose.
Harvesting Skype Super-Nodes
Omer Dekel, IDC
Skype has revolutionized the way we use VoIP and has entered almost every network and all parts of the Internet. However, little is known about the way the Skype network operates. Further, since its traffic is encrypted and bypasses firewalls, network administrators have almost no ability to monitor or filter Skype. In this work we explore the possibility of filtering Skype traffic by harvesting its Super Nodes (SNs), which form the heart of Skype, and blocking the network's nodes from connecting to them. Using experimental results and an analytic model, we show that it is possible to collect a large enough number of SNs to block, with a probability higher than 95%, the service for an arbitrary connecting client.
This talk is based on a research project done with Dr. Anat Bremler-Barr (IDC) & Prof. Hanoch Levy (ETH).
Smuggling SQL injection attacks
Avi Douglen, ComSec
SQL Injection is a common, well-understood application-level attack against databases. Several protection mechanisms exist for protecting against SQL injection attacks, including input validation and the use of stored procedures. The presentation will discuss novel techniques to bypass these protection mechanisms by exploiting differences in interpretation between systems.
This is new research work presented for the first time at OWASP Israel 2007.